Σχόλια 0

Το κείμενο του εγγράφου

THÈSE DE DOCTORATDE L’UNIVERSITÉ PARIS 6 – PIERRE ET MARIE CURIEdiscussed byDaniele Raffoon September 15,2005to obtain the degree ofDocteur de l’Université Paris 6Discipline:Computer ScienceHost laboratory:INRIA RocquencourtSecurity Schemes for the OLSR Protocolfor Ad Hoc NetworksThesis Director:Dr.Paul MühlethalerJuryReviewers:Dr.Ana CavalliDr.Ahmed SerhrouchniInstitut National des TélécommunicationsEcole Nationale Supérieure des TélécommunicationsExaminers:Dr.François BaccelliDr.François MorainDr.Paul MühlethalerDr.Guy PujolleEcole Normale SupérieureEcole PolytechniqueINRIA RocquencourtUniversité Paris 6Guests:Dr.Daniel AugotDr.Philippe JacquetINRIA RocquencourtINRIA Rocquencourttel-00010678, version 1 - 18 Oct 2005tel-00010678, version 1 - 18 Oct 2005THÈSE DE DOCTORATDE L’UNIVERSITÉ PARIS 6 – PIERRE ET MARIE CURIEprésentée parDaniele Raffole 15 Septembre 2005pour obtenir le grade deDocteur de l’Université Paris 6Spécialité:InformatiqueLaboratoire d’accueil:INRIA RocquencourtSchémas de sécurité pour le protocole OLSRpour les réseaux ad hocDirecteur de Thèse:M.Paul MühlethalerJuryRapporteurs:Mme Ana CavalliM.Ahmed SerhrouchniInstitut National des TélécommunicationsEcole Nationale Supérieure des TélécommunicationsExaminateurs:M.François BaccelliM.François MorainM.Paul MühlethalerM.Guy PujolleEcole Normale SupérieureEcole PolytechniqueINRIA RocquencourtUniversité Paris 6Invités:M.Daniel AugotM.Philippe JacquetINRIA RocquencourtINRIA Rocquencourttel-00010678, version 1 - 18 Oct 2005tel-00010678, version 1 - 18 Oct 2005Dedicated to the memory of my grandfather Vincenzotel-00010678, version 1 - 18 Oct 2005tel-00010678, version 1 - 18 Oct 2005AbstractWithin the domain of wireless computer networks,this thesis examines the securityissues related to protection of packet routing in ad hoc networks (MANETs).Thisthesis classiﬁes the different possible attacks and examines in detail the case ofOLSR (Optimized Link State Routing protocol).We propose a security architec-ture based on adding a digital signature,as well as more advanced techniques suchas:reuse of previous topology information to validate the actual link state,cross-check of advertised routing control data with the node’s geographical position,andintra-network misbehavior detection and elimination via ﬂowcoherence control orpassive listening.Countermeasures in case of compromised routers are also pre-sented.This thesis also assesses the practical problems concerning the choice ofa suitable symmetric or asymmetric cipher,the alternatives for the algorithm ofcryptographic keys distribution,and the selection of a method for signature times-tamping.KeywordsAd hoc network,routing,link state,OLSR,security,digital signaturetel-00010678, version 1 - 18 Oct 2005RésuméCette thèse examine les problématiques de sécurité liées à la protection du routagedans les réseaux ad hoc (MANETs).La thèse classiﬁe les différentes attaques quipeuvent être portées et examine en détail le cas du protocole OLSR (OptimizedLink State Routing).Une architecture de sécurisation basée sur l’ajout d’une sig-nature numérique est étudiée et proposée.D’autres contre-mesures plus élaboréessont également présentées.Ces dernières incluent:la réutilisation d’informationstopologiques précédentes pour valider l’état de lien actuel,l’évaluation de la véridic-ité des messages par analyse croisée avec la position géographique d’un noeud,etla détection des comportements suspects à l’intérieur du réseau par le contrôlede cohérence des ﬂux ou l’écoute passif.La thèse analyse aussi les problèmespratiques liées à la choix de l’algorithme de signature et la distributions des cléscryptographiques,et propose aussi des parades même en présence de noeuds com-promis.Mots clésRéseau ad hoc,routage,état de lien,OLSR,sécurité,signature numériquetel-00010678, version 1 - 18 Oct 2005ContentsContents 9Foreword 131 Introduction to wireless networking 161.1 Standards..............................161.1.1 IEEE 802.11........................171.1.2 HiperLAN.........................181.1.3 Bluetooth..........................181.2 Architecture.............................181.2.1 BSS mode.........................191.2.2 IBSS mode.........................191.2.3 Ad hoc network.......................191.3 Advantages and disadvantages...................201.4 Routing protocols for ad hoc networks...............231.4.1 Reactive protocols.....................231.4.2 Proactive protocols.....................241.4.3 Hybrid protocols......................251.4.4 The Optimized Link State Routing protocol........262 Systemsecurity 322.1 Cryptography basics........................332.1.1 Symmetric cryptography..................342.1.2 Asymmetric cryptography.................362.1.3 Symmetric vs.asymmetric cryptography.........383 Attacks against ad hoc networks 403.1 Attacks against the routing layer in MANETs...........403.1.1 Incorrect trafﬁc generation.................413.1.2 Incorrect trafﬁc relaying..................423.2 Attacks against the OLSR protocol.................443.2.1 Incorrect trafﬁc generation.................453.2.2 Incorrect trafﬁc relaying..................473.3 Summary of routing attacks.....................49tel-00010678, version 1 - 18 Oct 200510 CONTENTS4 Security in ad hoc networks:basic mechanisms 514.1 Protection of the routing protocol..................514.2 State of the art............................524.2.1 IPsec............................524.2.2 Routing protocols using digests or signatures.......534.2.3 Other solutions.......................554.3 Secured versions of OLSR.....................564.3.1 Packet protection......................574.3.2 Message protection.....................574.3.3 Trust Metric Routing....................575 The OLSRsignature message 595.1 Speciﬁcations............................595.1.1 Format of the signature message..............615.1.2 The timestamp.......................635.1.3 The signature algorithms..................635.1.4 Applicability to control messages.............645.1.5 Optional features......................655.1.6 Interoperability with standard OLSR............655.2 Modiﬁcations to the standard OLSR protocol...........655.2.1 Sending a signed control message.............665.2.2 Changes to the Duplicate Set................665.2.3 Receiving and checking a signed control message.....665.3 Resilience..............................685.4 Overhead..............................685.4.1 Message sizes for the standard OLSR...........695.4.2 Message sizes for OLSR with signatures..........705.4.3 Flowrates..........................705.4.4 Comparison with other solutions..............706 Cryptosystems for the ad hoc environment 736.1 Requirements............................736.2 Algorithm analysis.........................746.2.1 Benchmarks.........................746.3 Key management..........................766.3.1 Threshold cryptography..................766.3.2 Self-organized PKI.....................776.3.3 Identity-based cryptosystems................776.3.4 Imprinting.........................776.3.5 Probabilistic key distribution................786.3.6 Difﬁe-Hellman key agreement...............786.3.7 A simple PKI for OLSR..................78tel-00010678, version 1 - 18 Oct 2005CONTENTS 117 Timestamps 837.1 No timestamps...........................847.2 Real-time timestamps........................857.3 Non-volatile timestamps......................867.4 Clock synchronization.......................877.4.1 Timestamp exchange protocol...............888 Security in ad hoc networks:advanced mechanisms 928.1 Compromised nodes........................929 Using multiple signatures in OLSR 949.1 Topology continuity.........................949.2 Link Atomic Information......................959.3 Required proofs...........................969.4 The Certiproof Table........................979.5 The ADVSIG message.......................989.6 The protocol.............................1009.6.1 Implementation of the algorithm..............1019.6.2 Outline of the algorithm..................1019.6.3 Detailed algorithm.....................1029.7 Overhead..............................1049.8 Resilience and remaining vulnerabilities..............10510 Using information about node location 10710.1 State of the art............................10710.2 GPS-OLSR.............................10810.2.1 Speciﬁcations........................10810.2.2 Resilience..........................11010.2.3 The protocol........................11110.3 Using a directional antenna to obtain extended accuracy......11210.4 Numerical evaluation........................11310.5 Overhead..............................11411 Detecting bad behaviors 11611.1 State of the art............................11611.1.1 Watchdog/Pathrater.....................11711.1.2 CONFIDANT........................11811.1.3 WATCHERS........................11811.2 A trust system for OLSR......................11811.2.1 Speciﬁcations........................11911.2.2 Punishment and reward...................12011.2.3 Detection of a misbehaving node:countermeasures....12111.2.4 Variations on the theme of trust evaluation.........12111.2.5 Precise checks on ﬂow conservation............122tel-00010678, version 1 - 18 Oct 200512 CONTENTS11.3 A last word about enforcing security................12312 Conclusion 12612.1 Foresights..............................127A Résumé détaillé de la thèse 128A.1 Introduction aux réseaux sans ﬁl..................128A.1.1 Les protocoles de routage pour les réseaux ad hoc.....128A.1.2 Le protocole OLSR.....................129A.2 Sécurité des systèmes........................129A.3 Attaques contre les réseaux ad hoc.................130A.3.1 Attaques contre les MANETs au niveau du routage....130A.3.2 Attaques contre le protocole OLSR............132A.4 Sécurité dans les réseaux ad hoc:mécanismes de base.......133A.4.1 Protection du protocole de routage.............134A.5 Le message de signature dans OLSR................134A.5.1 Spéciﬁcations du projet...................134A.5.2 Modiﬁcations du protocole OLSR standard........135A.6 Systèmes cryptographiques pour les environnements ad hoc....136A.6.1 La gestion des clés.....................136A.7 Estampillage temporel.......................137A.8 Sécurité dans les réseaux ad hoc:mécanismes avancés......138A.9 Signatures multiples dans OLSR..................139A.9.1 Information atomique sur l’état de lien...........139A.9.2 Preuves requises......................140A.9.3 Le protocole........................140A.10 Utilisation des informations sur la position des nœuds.......141A.10.1 GPS-OLSR.........................141A.11 Détection des comportements hostiles...............142A.11.1 Un système pour OLSR basé sur la conﬁance.......142A.11.2 Contrôles précis sur la conservation du ﬂux........143A.12 Conclusion.............................143A.12.1 Perspectives.........................144List of Figures 145List of Tables 147Bibliography 148tel-00010678, version 1 - 18 Oct 2005ForewordMy work examines the security issues related to the protection of the routing pro-tocol in ad hoc networks,and more speciﬁcally of the OLSR protocol.OLSR hasbeen developed by the HIPERCOM project group1at INRIA,the National Re-search Institute in Computer Science and Control,based in Rocquencourt,France.OLSR was not designed with security in mind.Consequently,it is easy to ﬁndways to maliciously perturb the correct functioning of the protocol.The aimof mydoctoral researches,carried out in the HIPERCOMworkgroup,was to explore thepossible attacks and countermeasures to secure OLSR.This has led to the design ofsecurity extensions for OLSR,described in ﬁve papers published in internationalconferences [2,130,131,132,4] and in an INRIAResearch Report [3].I have alsocontributed in the writing of an Internet-Draft [30].Structure of the thesisChapter 1 introduces the domain of wireless networking discussing the differenttypes of architectures,and introduces the ad hoc networks by giving examples ofrouting protocols and a detailed overview of OLSR.Chapter 2 handles the problem of system security,explaining the basics ofcryptography.Chapter 3 provides a taxonomy of the attacks at the routing level inMANETs,and more speciﬁcally of the attacks against the OLSR protocol.Chapter 4 outlines the countermeasures that can be taken in order to securea wireless network,and gives some basic mechanisms (relying mainly on digestsand digital signatures) to protect different routing protocols.A basic mechanismdesigned to secure the OLSR protocol is expounded in Chapter 5.Chapter 6 debates the major choices that must be done in order to select asuitable cryptographic architecture,and discusses problematics related to the im-plementation of a Public Key Infrastructure on an ad hoc network,with a proposalfor OLSR.Chapter 7 offers a detailed view over the problem of a correct times-tamping.Chapter 8 introduces the topic of more advanced techniques to secure the rout-ing protocol,in particular when the network has been compromised from the in-side.The subsequent chapters present different studies concerning elaborated pro-1http://hipercom.inria.fr/olsrtel-00010678, version 1 - 18 Oct 200514 FOREWORDtection techniques for OLSR.Chapter 9 examines the insertion of old topologyinformation in control messages to validate the actual link state,and Chapter 10examines the use of GPS devices to cross-check advertised routing control datawith information regarding the node’s geographical position.Another detectiontechnique,presented in Chapter 11,consists in the detection of intra-network mis-behaviors;this is done by passive listening or controls on ﬂow coherence.Last,Chapter 12 concludes the thesis.Appendix A is an extended résumé of the thesis in the French language;everychapter of the thesis is condensed into a section of the résumé.Style conventionsThis thesis utilizes the following style conventions:   HELLOOriginator Addressnodestime at instant 0timestamp generated by Atimestamp generated by A at instant 0store the value 0 insends the message,signed by,totupleOLSR (or derived protocol) control messageﬁeld of an OLSR message or packetAcknowledgementsThis doctoral thesis has been completed also thanks to many persons which con-tributed with suggestions,thoughts,and constructive criticisms.I take thereforethe occasion to brieﬂy mention them here.I amgreatly indebted to my thesis director Paul Mühlethaler,and with researchdirector Philippe Jacquet,who welcomed me in the HIPERCOMproject at INRIA.I am glad having spent my doctoral work within such a team.Paul guided meduring my researches,and has been a very available and patient supervisor;hisprofessional knowledge and constant support helped me proceed throughout mystudies.I am grateful also to Guy Pujolle for accepting to be my thesis director atUPMC.Thanks to the INRIA for the ﬁnancial grant.My thanks to all members of the jury of the thesis dissertation:François Bac-celli,Ana Cavalli,François Morain,Paul Mühlethaler,Guy Pujolle,and AhmedSerhrouchni.Besides participating in the jury,Ana Cavalli and Ahmed Serhrouchniaccepted to devote their time in reviewing my thesis,providing very constructivecomments and criticisms.I express my gratitude to François Baccelli,as well as toMesaac Makpangou,also for being my pre-reviewers.tel-00010678, version 1 - 18 Oct 200515The whole INRIAHIPERCOMteamdeserves a special appreciation for an ex-ceptionally friendly environment.In particular,I cannot certainly forget ThomasClausen,who always provided me with his extremely useful and encouraging ad-vices,and illustrated me the “1.3-year Ph.D.panic schedule”.Thanks to CédricAdjih and Géraud Allard for their useful ideas and for helping me in hacking myLinux box.Thanks to Pascale Minet for re-reading parts of the thesis.Thanks toDang-Quan Nguyen,Amina Meraihi Naimi,Saadi Boudjit,and Adokoé Plakoo fortheir cooperation and their valuable tips.Thanks very much to Daniel Augot and Raghav Bhaskar (INRIACODES) and,again,to François Morain (LIX) for the helpful discussions on cryptography,inspite of their busy timetable.Thanks to Xiaoyun Xue (ENST) for spotting a ﬂawinthe ADVSIGarchitecture.Joe Macker (NRL) and his group,Justin Dean included,Andreas Hafslund and Eli Winjum (UniK),and Ricardo Staciarini Puttini (UNB)contributed with discussions and links about securing OLSR.Richard James and Ishak Binudin helped in correcting the manuscript;thanksto Richard also for being always available to examine my scientiﬁc papers.Several people helped me in a way or another during these three years.There-fore I take the occasion to thank,in no particular order,Marco Perisi,Marﬁ Giaguwith Patrick Marcellin,Xanthi Kapsosideri,Eufrosine Andreou,Anne Dautzen-berg,Cécile Bredelet,Charles Saada,Karina with Erik Fjeldstad,Jacques Henry,Claire Alexandre,Eliane Launay with Gilles Scagnelli,Aïssa Amoura,ChristianTourniaire,Danielle Croisy,Saholy with Stéphane Grolleau,and Vincent Luc-quiaud.Thanks to Matteo,Salvio,Federico,Marta,and all others for our Italiansonlinecommunity in Paris!My deepest thanks,and apologies,to Sophie for her support,patience and un-derstanding during the writing of my thesis.Last but not least,thanks a lot to my family,for always supporting me duringmy studies abroad.tel-00010678, version 1 - 18 Oct 2005Chapter 1Introduction to wirelessnetworkingIn wireless networks [102,45],computers are connected and communicate witheach other not by a visible medium,but by emissions of electromagnetic energy inthe air.The most widely used transmission support is radio waves.Wireless transmis-sions utilize the microwave spectre:the available frequencies are situated aroundthe 2.4 GHz ISM(Industrial,Scientiﬁc and Medical) band for a bandwidth of about83 MHz,and around the 5 GHz U-NII (Unlicensed-National Information Infras-tructure) band for a bandwidth of about 300 MHz divided into two parts.The exactfrequency allocations are set by laws in the different countries;the same laws alsoregulate the maximum allotted transmission power and location (indoor,outdoor).Such a wireless radio network has a range of about 10–100 meters to 10 Km permachine,depending on the emission power,the data rate,the frequency,and thetype of antenna used.Many different models of antenna can be employed:omnis(omnidirectional antennas),sector antennas (directional antennas),yagis,parabolicdishes,or waveguides (cantennas).The other type of transmission support is the infrared.Infrared rays cannotpenetrate opaque materials and have a smaller range of about 10 meters.For thesereasons,infrared technology is mostly used for small devices in WPANs (WirelessPersonal Area Networks),for instance to connect a PDAto a laptop inside a room.1.1 StandardsThere are presently three main standards for wireless networks:the IEEE 802.11family,HiperLAN,and Bluetooth.tel-00010678, version 1 - 18 Oct 2005STANDARDS 171.1.1 IEEE 802.11IEEE 802.11 [108] is a standard issued by the IEEE (Institute of Electrical andElectronics Engineers).Fromthe point of viewof the physical layer,it deﬁnes threenon-interoperable techniques:IEEE 802.11 FHSS (Frequency Hopping SpreadSpectrum) and IEEE 802.11 DSSS (Direct Sequence Spread Spectrum),which useboth the radio medium at 2.4 GHz,and IEEE 802.11 IR (InfraRed).The achieveddata rate is 1–2 Mbps.This speciﬁcation has given birth to a family of other stan-dards:IEEE 802.11a [71] (marketed as Wi-Fi5) operates in the 5 GHz U-NII band us-ing the OFDM(Orthogonal Frequency Division Multiplexing) transmissiontechnique,and has a maximum data rate of 54 Mbps.IEEE 802.11a is in-compatible with 802.11b,because they use different frequencies.IEEE 802.11b [72] (marketed as Wi-Fi) is the de facto standard in wireless net-working,and operates in the 2.4 GHz ISMband.The data rate is 1,2,5 or11 Mbps,automatically adjusted depending on signal strength.The trans-mission range depends on the data rate,varying from 50 meters indoor (200meters outdoor) for 11 Mbps,to 150 meters indoor (500 meters outdoor) for1 Mbps;the transmission range is also proportional to the signal power.IEEE 802.11g [73] operates in the 2.4 GHz band and has a data rate of up to 20Mbps.It uses both OFDMand DSSS to ensure compatibility with the IEEE802.11b standard.Another standard currently under development,IEEE 802.16 [75] (marketed asWiMAX),is designed for WMANs (Wireless Metropolitan Area Networks) andtherefore to overcome the range limitations of IEEE802.11.It operates on frequen-cies from 10 to 66 GHz,and should ensure network coverage for several squareKm.From the IEEE 802.16 standard derives IEEE 802.16a,that operates on the2-11 GHz band and should solve the line-of-sight problems deriving from usingthe 10-66 GHz band.Channel access techniquesThe crucial point in channel access techniques for wireless networks is that it isnot possible to transmit and to sense the carrier for packet collisions at the sametime.Therefore there is no way to implement a CSMA/CD(Carrier Sense MultipleAccess/Collision Detection) protocol such as in the wired Ethernet.IEEE 802.11 uses a channel access technique of type CSMA/CA,which ismeant to perform Collision Avoidance (or at least to try to).The CSMA/CA pro-tocol states that a node,upon sensing that the channel is busy,must wait for aninterframe spacing before attempting to transmit,then choose a random delay de-pending on the Contention Window.tel-00010678, version 1 - 18 Oct 200518 INTRODUCTIONTO WIRELESS NETWORKINGThe reception of a packet is acknowledged by the receiver to the sender.If thesender does not receive the acknowledgement packet,it waits for a delay accord-ing to the binary exponential backoff algorithm,which states that the ContentionWindow size is doubled at each failed try.Unicast data packets are sent using a more reliable mechanism.The sourcetransmits a RTS (Request To Send) packet for the destination,which replies witha CTS (Clear To Send) packet upon reception.If the source correctly receives theCTS,it sends the data packet.1.1.2 HiperLANHiperLAN (High Performance Radio LAN) is a standard issued by the ETSI (Eu-ropean Telecommunications Standard Institute),and a competitor of IEEE 802.11.It deﬁnes two kinds of networks:HiperLAN 1 [42] uses the 5 GHz band and offers a data rate of 10–20 Mbps.HiperLAN 2 [44,43] uses the 5 GHz band and offers a data rate up to 54 Mbps.A related standard is HiperMAN,rival of IEEE 802.16 and aimed at providingmetropolitan area coverage.It operates in the 2–11 GHz band.1.1.3 BluetoothBluetooth1is a standard designed by a consortium of private companies such asAgere,Ericsson,IBM,Intel,Microsoft,Motorola,Nokia and Toshiba.Bluetoothoperates in the 2.4 GHz band using FHSS and has a short range of action of about10 meters.For such characteristics and its low cost,Bluetooth is ﬁt for smallWPANs and is also employed to connect peripherals such as keyboards,printers,or mobile phone headsets.Bluetooth radio technology works in a master-slavefashion,and each device can operate as master or as slave.Communications areorganized in small networks called piconets,each piconet being composed of amaster and 1–7 active slaves.Multiple piconets can overlap to forma scatternet.1.2 ArchitectureA wireless network can be structured to function in either BSS (Basic Service Set)or IBSS (Independent Basic Service Set) mode.The two modes affect the topologyand the mobility capabilities of the machines (nodes) that compose the network.1http://www.bluetooth.orgtel-00010678, version 1 - 18 Oct 2005ARCHITECTURE 19Figure 1.1:BSS mode:an Access Point and its network cell.1.2.1 BSS modeIn BSS mode,also called infrastructure mode,a number of mobile nodes are wire-lessly connected to a non-mobile Access Point (AP),as in Figure 1.1.Nodes com-municate via the AP,which may also provide connectivity with an external wirednetwork e.g.the Internet.Several BSS networks may be joined to form an ESS(Extended Service Set).1.2.2 IBSS modeThe IBSS mode,also called peer to peer or ad hoc mode,allows nodes to commu-nicate directly (point-to-point) without the need for an AP,as in Figure 1.2.Thereis no ﬁxed infrastructure.Nodes need to be in range with each other in order tocommunicate.1.2.3 Ad hoc networkAn ad hoc network,or MANET (Mobile Ad hoc NETwork),is a network com-posed only of nodes,with no Access Point.Messages are exchanged and relayedbetween nodes.In fact,an ad hoc network has the capability of making commu-nications possible even between two nodes that are not in direct range with eachtel-00010678, version 1 - 18 Oct 200520 INTRODUCTIONTO WIRELESS NETWORKINGFigure 1.2:IBSS mode.other:packets to be exchanged between these two nodes are forwarded by inter-mediate nodes,using a routing algorithm.2Hence,a MANET may spread over alarger distance,provided that its ends are interconnected by a chain of links be-tween nodes (also called routers in this architecture).In the ad hoc network shownin Figure 1.3,nodecan communicate with nodevia nodesand,and viceversa.A sensor network is a special class of ad hoc network,composed of devicesequipped with sensors to monitor temperature,sound,or any other environmentalcondition.These devices are usually deployed in large number and have limited re-sources in terms of battery energy,bandwidth,memory,and computational power.1.3 Advantages and disadvantagesA wireless network offers important advantages with respect to its wired homo-logue:The main advantage is that a wireless network allows the machines to befully mobile,as long as they remain in radio range.2An ad hoc network must not be confused with a network in ad hoc mode.In ad hoc mode,nodesdo not relay packets (multihop not implemented).tel-00010678, version 1 - 18 Oct 2005ADVANTAGES AND DISADVANTAGES 21AB CDFigure 1.3:An ad hoc network.Even when the machines do not necessarily need to be mobile,a wirelessnetwork avoids the burden of having cables between the machines.Fromthis point of view,setting a wireless network is simpler and faster.In severalcases,because of the nature and topology of the landscape,it is not possibleor desirable to deploy cables:battleﬁelds,search-and-rescue operations,orstandard communication needs in ancient buildings,museums,public exhi-bitions,train stations,or inter-building areas.While the immediate cost of a small wireless network (the cost of the net-work cards) may be higher than the cost of a wired one,extending the net-work is cheaper.As there are no wires,there is no cost for material,in-stallation and maintenance.Moreover,mutating the topology of a wirelessnetwork – to add,remove or displace a machine – is easy.On the other hand,there are some drawbacks that need to be pondered:The strength of the radio signal weakens (with the square of the distance),hence the machines have a limited radio range and a restricted scope of thenetwork.This causes the well-known hidden station problem [149]:con-sider three machines,and,where bothandare in radio rangetel-00010678, version 1 - 18 Oct 200522 INTRODUCTIONTO WIRELESS NETWORKINGofbut they are not in radio range of each other.This may happen be-cause the distance is greater than the and distances,as in Figure 1.4,or because of an obstacle betweenand.The hiddenstation problem occurs wheneveris transmitting:whenwants to sendto,cannot hear thatis busy and that a message collision would oc-cur,hencetransmits when it should not;and whenwants to send to,it mistakenly thinks that the transmission will fail,henceabstains fromtransmitting when it would not need to.A B CFigure 1.4:The hidden station problem.The site variably inﬂuences the functioning of the network:radio wavesare absorbed by some objects (brick walls,trees,earth,human bodies) andreﬂected by others (fences,pipes,other metallic objects,water).Wirelessnetworks are also subject to interferences by other equipment that shares thesame band,such as microwave ovens and other wireless networks.Considering the limited range and possible interferences,the data rate is of-ten lower than that of a wired network.However,nowadays some standardsoffer data rates comparable to those of Ethernet.Due to limitations of the medium,it is not possible to transmit and to listenat the same time,therefore there are higher chances of message collisions.Collisions and interferences make message losses more likely.Being mobile computers,the machines have limited battery and computationpower.This may entail high communication latency:machines may be offmost of the time (doze state i.e.power-saving mode) and turning on theirtel-00010678, version 1 - 18 Oct 2005ROUTING PROTOCOLS FOR AD HOC NETWORKS 23receivers periodically,therefore it is necessary to wait until they wake upand are ready to communicate.As data is transmitted over Hertzian waves,wireless networks are inherentlyless secure (see Chapter 3).In fact,transmissions between two computerscan be eavesdropped by any similar equipment that happens to be in radiorange.1.4 Routing protocols for ad hoc networksIn ad hoc networks,to ensure the delivery of a packet from sender to destination,each node must run a routing protocol and maintain its routing tables in memory.Routing protocols can be classiﬁed into the following categories:reactive,proactive,and hybrid.There exists nowadays almost one hundred routing pro-tocols,many standardized by the IETF (Internet Engineering Task Force) and oth-ers still at the stage of Internet-Draft.This section gives,for each category,anoverview of the most important ones.1.4.1 Reactive protocolsUnder a reactive (also called on-demand) protocol,topology data is given onlywhen needed.Whenever a node wants to know the route to a destination node,it ﬂoods the network with a route request message.This gives a reduced averagecontrol trafﬁc,with bursts of messages when packets need being routed,and anadditional delay due to the fact that the route is not immediately available.DSR (Dynamic Source Routing) [83,82] uses a source routing mechanism,i.e.the complete route for the packet is included in the packet header.Thisavoids path loops.To discover a route,a node ﬂoods a Route Request andawaits the answers;any receiving node adds its address to the Route Requestand retransmits the packet.Once the packet has reached its ﬁnal destinationnode,the latter reverses the route and sends the Route Reply packet.Thisis possible if the MAC protocol permits bidirectional communications;oth-erwise,the destination node performs another route discovery back to theoriginator.Every node maintains also a route cache,which avoids doing aroute discovery for already known routes.A mechanism of route mainte-nance allows the originator node to be alerted about link breaks in the route.AODV(Ad hoc On-demand Distance Vector routing) [119,121] is a distancevector routing protocol,i.e.routes are advertised as a vector of directionand distance.To avoid the Bellman-Ford"counting to inﬁnity"problem androuting loops,sequence numbers are utilized for control messages.To ﬁnd aroute to a destination,a node broadcasts a RREQ(Route REQuest) message.The RREQis relayed by receiving nodes until it reaches the destination or anintermediate node with a fresh route (i.e.a route with an associated sequencetel-00010678, version 1 - 18 Oct 200524 INTRODUCTIONTO WIRELESS NETWORKINGnumber equal or greater than that of the RREQ) to destination.Afterward,aRREP (Route REPly) message is unicast by the destination to the originatorof the RREQ.RERR(Route ERRor) messages are used to notify nodes aboutlink breaks.DSDV (Destination-Sequenced Distance-Vector routing) [120] is anotherdistance vector routing protocol,which requires each node to advertise itsrouting table to its neighbors.Route information contains a route sequencenumber,the destination’s address,the destination’s distance in hops,and thesequence number of the information received regarding the destination asstamped by the destination itself.1.4.2 Proactive protocolsIn opposition,proactive (also called periodic or table driven) protocols are char-acterized by periodic exchange of topology control messages.Nodes periodicallyupdate their routing tables.Therefore,control trafﬁc is more dense but constant,and routes are instantly available.OLSR (Optimized Link State Routing) is a link state routing protocol,de-scribed in detail in Section 1.4.4.OSPF (Open Shortest Path First) [110,32] is another link state routing pro-tocol,issued from the very ﬁrst link state protocols used in the ARPANETpacket switching network.OSPFmaintains information about network topol-ogy in a database stored in every node.Fromthis database,every node buildsa shortest-path tree to route a packet to its destination.Neighbor discoveryis accomplished through exchange of HELLOpackets.FSR (Fisheye State Routing) [54,118] is a scalability-supporting link stateprotocol.Each node broadcasts link state information of a destination toits neighbors,with a frequency inversely proportional to the destination’sdistance in hops;i.e.information about distant nodes is broadcast less of-ten.Therefore,every node has a precise knowledge of its local neighborhoodwhile knowledge of distant nodes is less precise (hence the name “Fisheye”).This makes the routing of a packet accurate near the source and the destina-tion.FSR is proﬁcient in handling large networks.TBRPF (Topology dissemination Based on Reverse-Path Forwarding) [115]is a link state protocol in which each node builds a source tree using partialtopology information stored in its topology table.The tree provides pathsto all reachable nodes and is computed using a modiﬁed Dijkstra algorithm.Each node periodically shares part of its tree with its neighbors.DifferentialHELLO messages,which report only changes in neighbors’ status,are usedfor neighbor discovery.tel-00010678, version 1 - 18 Oct 2005ROUTING PROTOCOLS FOR AD HOC NETWORKS 25ADV (Adaptive Distance Vector routing) [18] is a proactive protocol,butwith some reactive characteristics.Each node shares its route informationwith its neighbors,according to the Distributed Bellman-Ford distance vec-tor algorithm.However,in ADV a node maintains only routes to nodes thatare currently receivers of any active connection.Furthermore,the frequencyof route updates varies depending on the load and mobility of the network.ADV therefore quickly adapts itself to sudden changes on the network load.STAR(Source Tree Adaptive Routing) [49] uses a source tree,computed byevery node,in order to route packets.Every node then shares its whole treewith its neighbors.LANMAR (LANdMARk routing) [52,53] is a routing protocol aimed atlarge networks divided into logical groups.It assumes that every node isidentiﬁed by an addressing scheme containing the group ID and host ID.Nodes use a scoped routing protocol,e.g.FSR,to learn routes to nearbynodes.Every group elects a landmark;packets are routed towards the land-mark corresponding to the group ID of the destination,then delivered di-rectly to the destination.WRP (Wireless Routing Protocol) [111] is based on a path-ﬁnding algorithmthat reduces the probability or routing loops.In WRP,each node shares itsrouting tables with its neighbors,by communicating the distance and second-to-last hop to each destination.Nodes send an acknowledgement upon re-ception of update routes.Each nodes maintain a distance table,a routingtable,a link-cost table,and a message retransmission list.WIRP (Wireless Internet Routing Protocol) [48] is a routing protocol de-signed to operate with Wireless Internet Gateways (WINGs),improved self-adapting routers for the wireless ad hoc environment.The radio device iscontrolled by the FAMA-NCS protocol,which eliminates the hidden stationproblem in single-channel networks.WIRP interoperates with FAMA-NCSfor the link sensing mechanism.Each node builds a hierarchical routing treeand distributes it incrementally to its neighbors,by communicating only thedistance and the second-last-hop to each destination.Route updates must beacknowledged by each node.1.4.3 Hybrid protocolsHybrid protocols have both the reactive and proactive nature.Usually,the networkis divided into regions,and a node employs a proactive protocol for routing in-side its near neighborhood’s region and a reactive protocol for routing outside thisregion.ZRP (Zone Routing Protocol) [57] deﬁnes for every node a radius (in numberof hops) inside which packets are routed using a proactive routing protocol.tel-00010678, version 1 - 18 Oct 200526 INTRODUCTIONTO WIRELESS NETWORKINGRoutes for nodes outside the radius are discovered using a reactive routingprotocol.The working mode of ZRP is speciﬁed locally by IARP (IntrAzoneRouting Protocol) [59],and for the rest of the network (outside the radius)by IERP (IntErzone Routing Protocol) [58].CBRP (Cluster Based Routing Protocol) [81] divides the network into over-lapping or disjoint node clusters,each cluster being 2 hops in diameter.Forevery cluster,the cluster head node has the duty of exchanging route discov-ery messages with other cluster heads.A proactive routing protocol is usedinside every cluster,while inter-cluster routes are discovered reactively viaroute requests.1.4.4 The Optimized Link State Routing protocolThe Optimized Link State Routing (OLSR) protocol [31,79,29] is a proactive linkstate routing protocol for ad hoc networks.The core optimization of OLSRis the ﬂooding mechanismfor distributing linkstate information,which is broadcast in the network by selected nodes called Mul-tipoint Relays (MPR).As a further optimization,only partial link state is diffusedin the network.OLSR provides optimal routes (in terms of number of hops) and isparticularly suitable for large and dense networks.Speciﬁcations of the protocol were ﬁrst described in an Internet-Draft in Febru-ary 2000,and were ﬁnalized in RFC 3626 [31] in October 2003;there is also adraft for the version 2 of the protocol [27].Several implementations exist at thisday:OOLSR (the original,object-oriented implementation of OLSR by INRIAHIPERCOM),nlrolsrd (by the U.S.Naval Research Laboratory),OLSR_Niigata(by Niigata University),Qolyester (a Quality-of-Service enhanced version by LRI),OLSR11win (by the GRC,Universitat Politècnica de València),the olsr.org OLSRdaemon (by UniK,University of Oslo),H-OLSR (by Hitachi,Ltd.),and CRCOLSR (by the Communication Research Centre in Canada).A multicast exten-sion [95] has been proposed and is the object of an Internet-Draft (MOLSR) [80].OLSRmessage and packet formatOLSR control messages are communicated using a transport protocol deﬁned bya general packet format,given in Figure 1.5.Each packet encapsulates severalcontrol messages into one transmission.Control trafﬁc in OLSRis exchanged through two different types of messages:HELLO and TC (Topology Control) messages.HELLOmessages,shown in Fig-ure 1.6,are exchanged periodically among neighbor nodes,in order to detect linksto neighbors and to signal MPR selection.TC messages,shown in Figure 1.7,areperiodically ﬂooded to the entire network,in order to diffuse link state informationto all nodes.The other OLSR control messages are MID (Multiple Interface Declaration)and HNA (Host and Network Association).MID and HNA messages are emittedtel-00010678, version 1 - 18 Oct 2005ROUTING PROTOCOLS FOR AD HOC NETWORKS 270 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Packet Length | Packet Sequence Number |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Message Type | Vtime | Message Size |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Originator Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Time To Live | Hop Count | Message Sequence Number |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| |:MESSAGE:| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Message Type | Vtime | Message Size |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Originator Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Time To Live | Hop Count | Message Sequence Number |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| |:MESSAGE:| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+::Figure 1.5:OLSR packet format.tel-00010678, version 1 - 18 Oct 200528 INTRODUCTIONTO WIRELESS NETWORKINGonly by nodes that have multiple interfaces.To avoid collisions,the OLSRprotocoladds an amount of jitter to the interval at which all control messages are generated.While messages may potentially be broadcast to the entire network,packetsare transmitted only between neighbor nodes.The unit of information subject tobeing forwarded is a “message”.An individual OLSR control message can beuniquely identiﬁed by its Originator Address and Message SequenceNumber (MSN),both from the message header.The Originator Addressﬁeld speciﬁes the originator of a message,and does not change as the message isrelayed around the network;the address contained in this ﬁeld is different (exceptat the ﬁrst hop,when the message is created) from the IP header source address,which is changed at each hop to the address of the retransmitting node.A node may receive the same message several times.Therefore,to avoid pro-cessing and sending multiple times the same message,a node records informationabout each received message.This information is stored in a tuple consisting ofthe message’s originator address,the MSN,a boolean value indicating whether themessage has already been retransmitted,the list of interfaces on which the messagehas been received,and the tuple’s expiration time.All tuples are maintained in theDuplicate Set (also known as Duplicate Table) of the node.The common packet format allows individual messages to be piggybacked andtransmitted together in one emission,if allowed by the MTU size.Therefore dif-ferent kind of control messages can be emitted together,although processed andforwarded differently in each node;e.g.HELLOmessages are not forwarded whileall other control messages are.OLSR does not handle unicast communications:a message from a node iseither transmitted to all its neighbors or to all nodes in the network.HELLOmessages contain a list of neighbors from which control trafﬁc has beenheard (but with which bidirectional communication is not yet conﬁrmed),a list of neighbors with which bidirectional communication has been estab-lished,and a list of neighbors that have been selected to act as a Multi-point Relay for the originator of the HELLO message.Each NeighborInterface Address ﬁeld contains the address of an advertised neigh-bor,and the relevant Link Code ﬁeld contains its link status as a combi-nation of Link Type and Neighbor Type.Table 1.1 lists the constants’ valuesfor this last ﬁeld,as speciﬁed by the protocol documentation [31].Upon receiving a HELLO message,a node examines the lists of addresses.If its own address is included in the addresses encoded in the HELLOmes-sage,bidirectional communication is possible (symmetrical link) betweenthe originator and the recipient of the HELLOmessage,i.e.the node itself.In addition to information about neighbor nodes,periodic exchange of HELLOmessages allows each node to maintain information describing the links be-tween neighbor nodes and nodes which are two hops away.This informationis recorded in a nodes 2-hop neighbor set and is utilized for MPR optimiza-tion.tel-00010678, version 1 - 18 Oct 2005ROUTING PROTOCOLS FOR AD HOC NETWORKS 29Link TypesUNSPEC_LINKNo informationASYM_LINKLink is asymmetrical,i.e.neighbor is heardSYM_LINKLink is symmetricalLOST_LINKLink has been lostNeighbor TypesSYM_NEIGHNeighbor is symmetricMPR_NEIGHNeighbor has been selected as MPRNOT_NEIGHNode is no longer/not yet symmetric neighborTable 1.1:Constants for the Link Code ﬁeld in a HELLO.HELLOmessages are exchanged periodically between neighbor nodes only,and are not forwarded further.TC messages have the purpose to diffuse link state information,and more pre-cisely information about the “last hop”,to the entire network.A TC mes-sage contains a set of symmetric neighbors (i.e.neighbors which have atleast one symmetrical link with the originator of the TCmessage) [28],eachone contained in a Advertised Neighbor Main Addressﬁeld.TCmessages are periodically ﬂooded to the entire network,exploiting the MPRoptimization.Only nodes which have been selected as an MPR generate(and relay) TC messages.The TCmessage bears an ANSN ﬁeld which contains the Advertised Neigh-bor Sequence Number.This number is associated with the node’s advertisedneighbor set,and is incremented each time the node detects a change in thisset.MID messages are emitted only by a node with multiple OLSRinterfaces,in orderto announce information about its interface conﬁguration to the network.A MID message contains a list of addresses,each address belonging to anOLSR interface of the sending node.HNAmessages are emitted only by a node with multiple non-MANET interfaces,and have the purpose of providing connectivity from a OLSR network to anon-OLSR network.The gateway sends HNA messages containing a list ofaddresses of the associated networks and their netmasks.Multipoint Relay selection and signalingThe OLSRbackbone for message ﬂooding is composed of Multipoint Relays.Eachnode must select MPRs from among its symmetric neighbor nodes such that amessage emitted by a node and repeated by the MPR nodes will be received bytel-00010678, version 1 - 18 Oct 200530 INTRODUCTIONTO WIRELESS NETWORKING0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Reserved | Htime | Willingness |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Link Code | Reserved | Link Message Size |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Neighbor Interface Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Neighbor Interface Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+:...:::+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Link Code | Reserved | Link Message Size |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Neighbor Interface Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Neighbor Interface Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+::Figure 1.6:HELLOmessage format.0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| ANSN | Reserved |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Advertised Neighbor Main Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| Advertised Neighbor Main Address |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|...|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+Figure 1.7:TC message format.tel-00010678, version 1 - 18 Oct 2005ROUTING PROTOCOLS FOR AD HOC NETWORKS 31all nodes two hops away.In fact,in order to achieve a network-wide broadcast,abroadcast transmission needs only be repeated by just a subset of the neighbors:this subset is the MPRset of the node.Hence only MPRnodes relay TC,MID,andHNA messages.Figure 1.8 shows the node in the center,with neighbors and 2-hop neighbors,broadcasting a message.In (a) all nodes retransmit the broadcast,while in (b) onlythe MPRs of the central node retransmit the broadcast.(a) (b)Figure 1.8:Pure ﬂooding and MPR ﬂooding.The MPR set of a node is computed heuristically [129].MPR selection is per-formed based on the 2-hop neighbor set received through the exchange of HELLOmessages,and is signaled through the same mechanism.Each node maintains anMPR selector set,describing the set of nodes that have selected it as MPR.Security considerationsThe standard OLSRspeciﬁcation document does not take account of security mea-sures.It enumerates possible vulnerabilities to which OLSR is subject.Thesevulnerabilities include breach of conﬁdentiality,breach of integrity,non-relaying,replay,and interaction with an insecure external routing domain.We give in Chapter 2 a brief overview on system security,and in Chapter 3 adetailed description of the attacks against OLSR and against the routing protocolsin general.A mechanism designed to secure the OLSR protocol is presented inChapter 5.tel-00010678, version 1 - 18 Oct 2005Chapter 2SystemsecurityA secure system may be deﬁned as a system that does exactly what its designersconceived it for and does not showany unexpected behavior,even when an attackertries to make the system act differently.A deﬁnition of security is indeed incomplete without specifying against whoor what the system is secured.Furthermore,as absolute security is impossible toobtain,a report about the cost/beneﬁt balance must be established.It must be recalled that enforcing security requires that the defender covers allpoints of possible attack,as,for the attacker,it is sufﬁcient to focus its efforts onone weak point in order to succeed.Therefore a system is only as secure as itsless reliable security point.This is synthesized in the widely known expression:“achain is as strong as its weakest link”.When talking about security of a communications network,there are differentareas in which this topic applies.The major security goals are deﬁned with theterms which follow;for each goal,the associated attack is identiﬁed.The namecan describe either the functioning of the attack or its effect.Conﬁdentiality,privacy,secrecyEavesdroppingConﬁdentiality means that the transmitted information is only disclosed toauthorized parties.Sensitive information disclosed to an adversary couldhave severe consequences.IntegrityMessage tamperingIntegrity assumes that a message is not altered in transit between sender andreceiver.Messages could be corrupted due to network malfunctioning ormalicious attacks.Non-repudiationMessage forgeryNon-repudiation means that the originator of a message cannot deny havingsent the message.An attacker could forge a wrong message that appears tobe originating from an authorized party,with the aim of making the partythe culprit.If non-repudiation is guaranteed,the receiver of a wrong mes-tel-00010678, version 1 - 18 Oct 2005CRYPTOGRAPHYBASICS 33sage can prove that the originator sent it,and that therefore the originatormisbehaved.Other security goals may be more difﬁcult to achieve.Note that attacks canbe combined,e.g.the intruder may break into the system in order to prepare aDoS from inside,or may perform eavesdropping with the purpose of later gainingunauthorized access.AuthenticationIdentity spooﬁng,impersonationAuthentication ensures the identity of the party with which communicationsare exchanged,before granting it access to the network.Without authentica-tion,an attacker could masquerade as a legitimate party (identity spooﬁng)and interfere with the security of the network.Access controlBreaking,unauthorized accessAccess control means that only authorized parties can participate in the com-munications;any other entity is denied access.Access control presumesauthentication of the party trying to have access to the network.Service availabilityDenial of ServiceService availability must guarantee that all resources of the communicationsnetwork are always utilizable by authorized parties.An attacker may launcha Denial of Service (DoS) attack by saturating the medium,jamming thecommunications,or keeping the system resources busy in any other way.The aim here is just to impede authorized parties from having access to theresources,thereby making the network unusable.Many security countermeasures are achieved by the use of cryptography [139,13].2.1 Cryptography basicsEncryption is the process of disguising a message in such a way that it hides itscontent;the operation consists in transforming the message from plaintext to ci-phertext.The inverse process is called decryption.It is also possible to add a message digest,also called a hashing or digitalﬁngerprint,to the message so that the integrity of the message can be veriﬁed.Signing a message means,instead,to add a sequence of bits (a digital signa-ture) to the message in order to identify its real originator.These techniques are performed by using a cryptographic algorithm (cipher)and a key,whose format depends on the algorithm used.It is often necessary toapply more than one technique,i.e.a message can be encrypted and then digitallysigned.With respect to the aforementioned security attributes:tel-00010678, version 1 - 18 Oct 200534 SYSTEMSECURITYthe encryption provides conﬁdentiality,because the messages is transmittedin ciphertext,and only the owner of the key can decrypt the ciphertext;the message digest provides integrity;the signature provides non-repudiation,as only the owner of the key couldhave generated it.Authentication,and subsequent access control,is more complicated to obtain andrequires the use of more advanced cryptographic primitives,while service avail-ability is not the concern of cryptography.It is likely that information that was true at some time in the past may notbe true anymore in the present.A common problem is that,even assuming a di-gest or signature is successfully checked,previously transmitted messages can besent again by an attacker.That is,an intruder may record a bulk of messages andre-send them some time later;these messages,if they cannot be identiﬁed as old(by some deﬁnition of “old”),will be accepted as valid because they are properlysigned.This is known as replay attack,and may easily disrupt communications.Tooppose replay attacks,messages usually embed a piece of time information,calledtimestamp,describing the time at which the message was generated.The time-stamp is included in the computation of the signature.Timestamps are discussedin detail in Chapter 7.An adversary may exploit possible weaknesses in cryptographic functions.Forinstance,when relaying a control message with digest fromone node to another,anattacker may replace the original message with a forged one which,due to a ﬂawinthe digesting algorithm,has the same digital ﬁngerprint.The adversary discoversthese ﬂaws using different techniques e.g.plaintext-chosen or brute-force attacks,depending on the data available to work on.These kinds of codebreaking attacks(cryptanalysis) are aimed against the cryptographic layer,and do not require thedisclosure of any key to the attacker.However,when designing security schemesthat rely on cryptography,it is usually assumed that cryptographic primitives arerobust against these attacks.Two branches of cryptography exist:symmetric cryptography and asymmetriccryptography.Each is useful to perform different functions.2.1.1 Symmetric cryptographySymmetric cryptography (also called secret key cryptography,single key cryptog-raphy,or one key cryptography) is the most ancient form of cryptography.Sym-metric cryptography is based on symmetric key algorithms,i.e.algorithms wherethe encryption key and the decryption key are the same (or,more broadly,wherethe encryption key can be computed from the decryption key and vice versa).Thesender and the receiver of a message must agree on a secret shared key,whichwill henceforth be used to encrypt,decrypt,and generate a digest on exchangedmessages.tel-00010678, version 1 - 18 Oct 2005CRYPTOGRAPHYBASICS 35EncryptionSome of the symmetric algorithms for encryption are:DES with its improvementsTriple DES and AES,IDEA,LOKI,Lucifer,Skipjack,Vernam (also known asone-time pad),RC2,and RC4.To this class of algorithms also belong the ancient substitution and transposi-tion ciphers,like Caesar,Mary Stuart’s,Pigpen,Vigenere,Playfair,and ADFGVX.These ciphers were in use centuries ago,in the pre-computer era,and are not usedanymore because they are easy to break by applying cryptanalysis.Message digestSymmetric algorithms make large use of hash functions [106] for digesting.Ahashfunctionmaps a bitstring of arbitrary ﬁnite length to another bitstring of ﬁxedlength,wheredepends on.The hash function hence outputs a hash valuewhich is a condensed representative image of the bitstring fed in input.Changingjust one bit of the input string results in a very different hash value in output;thisis known as the avalanche effect.A hash functionshould have the following properties:be one-way,i.e.given an outputit is computationally infeasible to ﬁnd aninputsuch that(preimage resistance);given an inputit is computationally infeasible to ﬁnd another inputsuch that(second preimage resistance);it is computationally infeasible to ﬁnd two inputs ,with ,suchthat(collision resistance).Examples of hash functions are MD5 (Message Digest 5) [134] which is thesuccessor of MD4,Snefru,RIPEMD-160,and the class of SHA (Secure Hash Al-gorithm) functions [113] such as SHA-1 [40] and SHA-256.Cryptographic literature often references a random oracle [10,23].A randomoracle is a theoretical model of a “perfect” hash function which returns an answeruniformly selected amongst all possible answers.A hash function may be used in conjunction with a secret shared key (e.g.byconcatenating the key to the hash input) to construct a keyed hash function.Inthis case,the digest is more often called Message Authentication Code (MAC)1.This is the foundation of the HMAC mechanism [9,91].The resulting keyed hashfunction is called with a name that depends on the hash function used,for instanceHMAC-MD5,HMAC-RIPEMD,or HMAC-SHA1.1To avoid confusion,in this thesis we use the acronymMAC for Medium Access Control only inthe phrases “MAC layer”,“MAC protocol”,or “MAC address”.In all other contexts,the meaningof MAC must be intended as Message Authentication Code.tel-00010678, version 1 - 18 Oct 200536 SYSTEMSECURITY2.1.2 Asymmetric cryptographyIn asymmetric cryptography (also called public key cryptography),there is a keyfor encryption (public key) and another key for decryption (private key or secretkey).A public and its companion private key compose a key pair;knowing a pub-lic key,it is computationally infeasible to calculate the companion private key.Aparty can leave its public key available to everyone,e.g.by publishing the keyin a public directory;its private key needs to be kept undisclosed.All public keyexchange may be done over an insecure channel,i.e.a channel that may be subjectto eavesdropping.Public key cryptography therefore requires a Public Key In-frastructure (PKI) to authenticate the parties,generate the key pairs,or distribute,update and revoke the public keys.Public key cryptography was introduced by Difﬁe and Hellman [35] in 1976(and developed further by Merkle [107]),but independently discovered some yearsearlier by Cocks and Williamson of GCHQ.The Difﬁe-Hellman key agreementprotocol allows two parties to share a secret key over an insecure channel.One of the greatest problems in a PKI is about how to bind a public key withits legitimate owner – that is,how to be sure that a speciﬁc public key belongsto a party and not to an impostor,which would then be able to decrypt messagessupposedly sent to that party.If two parties,Alice and Bob (we call them so in thetradition of cryptographic literature),want to exchange their public keys,they coulddo it over the same insecure channel that is used afterward to swap their encryptedmessages.However,if an adversary is able to tamper with communications overthe channel,it can make the protection unsuccessful.This is a kind of doubleidentity spooﬁng,called man-in-the-middle attack,in which an adversary stays inthe communication channel between two parties and acts with a party as the otherparty.The parties are deluded that they are talking with each other,while in factthe invisible adversary relays their messages.The attack is performed as follows.The adversary generates two public/privatekey pairs    .Alice sends her public keyto Bob,but theadversary intercepts it,substitutes the legitimate key with its public key ,andsends to Bob.Bob sends his public keyto Alice,but the adversary inter-cepts and substitutes it with,which is sent to Alice.As a result,Alice mis-takenly believes Bob’s public key to be,and Bob mistakenly believes Alice’spublic key to be ,while both keys are owned by the adversary:Alice    adversary     Bob From this point on,the adversary intercepts unnoticed any message sent fromAlice,decrypts it with,reads it,re-encrypts it with,and sends the messageto Bob which decrypts it with his private key.In the opposite direction,the ad-versary intercepts any message fromBob,decrypts it with ,reads it,re-encryptsit with ,and sends the message to Alice which decrypts it with her private keytel-00010678, version 1 - 18 Oct 2005CRYPTOGRAPHYBASICS 37 .Therefore,the adversary is able to read any message exchanged between Al-ice and Bob,while they are unaware of the adversary’s presence and think theircommunications are kept conﬁdential.One solution to this problem involves a Trusted Third Party,which must betrusted by everyone.The TTP stores the public key of every participant and guar-antees on the owner of each key.Depending on the implementation,the TTP iscalled Key Distribution Center (KDC) or Certiﬁcation Authority (CA).A Certiﬁ-cation Authority delivers certiﬁcates containing the identity of the key’s owner,itspublic key,the certiﬁcate validity dates,and other information;each certiﬁcate issigned by the CA,which public key is known a priori by every participant.For instance,the solution of bestowing a Certiﬁcation Authority is broadly uti-lized in the SSL/TLS protocol [148] (on which HTTPS,the secured Internet proto-col,is based),IPsec,S/MIME,and others.SSL certiﬁcates follow the X.509 stan-dard [50,63] developed by the International Telecommunication Union - Telecom-munication Standardization Sector,and can be delivered by many commercialCAs:RSA Security Inc.,VeriSign,ValiCert,and VISA,just to name a few.Thepublic key of each CA is embedded in web browsers and other network applica-tions.Public institutions and government agencies may have their own CAs,too.However,the existence of a trusted party is a point of fragility of the wholePKI.If the deliver of public keys is done on demand,an adversary could paralyzethe whole network by launching a Denial of Service attack against the KDC.Fur-thermore,by compromising a Certiﬁcation Authority,the attacker can issue fakecertiﬁcates for any identity it wishes,to prepare spooﬁng and man-in-the-middleattacks.EncryptionTo securely send a message,the sender retrieves the receiver’s public key,encryptsthe message,and sends it to the receiver which can decrypt it with its private key.Examples of asymmetric ciphers for encryption and decryption are RSA(Rivest-Shamir-Adleman) [135,136],Knapsack,and ElGamal;other ciphers are instancesof elliptic curve cryptography (ECC) applied to canonical algorithms,such as ECCElGamal.ECCis an approach to the public key problembased on the mathematicsof elliptic curves.SignatureAsymmetric ciphers for signatures are composed of a private and a public part.Tosign a message,the sender uses the private algorithm.The receiver of the messagethen veriﬁes the signature by applying the public algorithm.For simplicity,it isoften said that the sender uses its private key to sign while the receiver veriﬁes thesignature with the sender’s public key.This is the case of RSA,where the sender generates a hash of the message andencrypts it with its private key.The receiver will use the sender’s public key totel-00010678, version 1 - 18 Oct 200538 SYSTEMSECURITYdecrypt the sent hash and check if it matches the recomputed hash.This worksbecause,in a RSAkey pair,both the public and private key can be used to encrypt,while the other key is used to decrypt.Examples of asymmetric schemes to generate digital signatures are Fiat-Shamir,Ong-Schnorr-Shamir,and DSS (Digital Signature Standard) [114] which includesDSA (Digital Signature Algorithm);ECC schemes such as ECNR (Elliptic CurveNyberg-Reuppel) and ECDSA;and,again,RSA and ElGamal.2.1.3 Symmetric vs.asymmetric cryptographySymmetric and asymmetric cryptography has both weak and strong points.Argu-ments in favor of symmetric cryptography are:The data throughput rate is much higher with symmetric ciphers,which alsoneed less computation power.For the same level of security,the key size is much smaller with symmetricciphers.Also,a symmetric digest is smaller than an asymmetric signature.On the other hand,asymmetric cryptography is superior in some perspectives:In symmetric cryptography,the shared key must be kept secret.In asymmet-ric cryptography,only the private key need to be kept secret,while the publickey can (and should) be publicly disclosed.Key management is somewhat easier in asymmetric cryptography.To han-dle a secured message exchange betweenparties,the number of symmetrickeys to manage is,as there aresymmetric keys.Fur-thermore,if these keys are committed to a Trusted Third Party,this TTPmust be unconditionally trusted as it is theoretically able to encrypt and de-crypt any message fromor to any party.Using asymmetric cryptography,thenumber of keys to manage is just.Only the public keys are entrustedto the TTP,which therefore needs only to be conditionally trusted.Considering the level of security offered,a public/private key pair may re-main unchanged for many sessions.Symmetric keys should be renewedmore often (even once per session) to guarantee the same level of security.In summary,symmetric cryptography is efﬁcient for encryption and data in-tegrity tests,whilst asymmetric cryptography is cogent to generate digital signa-tures and manage keys.A cleverly designed cryptographic application would ex-ploit the advantages of both schemes:a public key exchange could be used to es-tablish a symmetric key between two parties,while further communications wouldbe encrypted using the symmetric key.tel-00010678, version 1 - 18 Oct 2005CRYPTOGRAPHYBASICS 39The next chapter provides a classiﬁcation of the attacks against the routinglayer.In Chapter 4 and 5,we show how cryptography can be used to thwart theseattacks and enforce security.Chapter 6 offers a dissertation on the available ci-phers,considering the requirements and limitations of an ad hoc environment.tel-00010678, version 1 - 18 Oct 2005Chapter 3Attacks against ad hoc networksWhile a wireless network is more versatile than a wired one,it is also more vul-nerable to attacks.This is due to the very nature of radio transmissions,which aremade on the air.On a wired network,an intruder would need to break into a machine of the net-work or to physically wiretap a cable.On a wireless network,an adversary is ableto eavesdrop on all messages within the emission area,by operating in promiscu-ous mode and using a packet sniffer (and possibly a directional antenna).Thereis a wide range of tools available to detect,monitor and penetrate an IEEE 802.11network,such as NetStumbler1,AiroPeek2,Kismet3,AirSnort4,and Ethereal5.Hence,by simply being within radio range,the intruder has access to the networkand can easily intercept transmitted data without the sender even knowing (for in-stance,imagine a laptop computer in a vehicle parked on the street eavesdroppingon the communications inside a nearby building).As the intruder is potentiallyinvisible,it can also record,alter,and then retransmit packets as they are emittedby the sender,even pretending that packets come from a legitimate party.Furthermore,due to the limitations of the medium,communications can easilybe perturbed;the intruder can perform this attack by keeping the medium busysending its own messages,or just by jamming communications with noise.3.1 Attacks against the routing layer in MANETsWe now focus on attacks against the routing protocol in ad hoc networks.Theseattacks may have the aim of modifying the routing protocol so that trafﬁc ﬂowsthrough a speciﬁc node controlled by the attacker.An attack may also aim atimpeding the formation of the network,making legitimate nodes store incorrect1http://www.netstumbler.com/downloads2http://www.wildpackets.com/products/airopeek3http://www.kismetwireless.net4http://sourceforge.net/projects/airsnort5http://www.ethereal.comtel-00010678, version 1 - 18 Oct 2005ATTACKS AGAINST THE ROUTING LAYER IN MANETS 41routes,and more generally at perturbing the network topology.Attacks at the routing level can be classiﬁed into two main categories:incor-rect trafﬁc generation and incorrect trafﬁc relaying6.Sometimes these coincidewith node misbehaviors that are not due to malice,e.g.node malfunction,batteryexhaustion,or radio interference.3.1.1 Incorrect trafﬁc generationThis category includes attacks which consist in sending false control messages:i.e.control messages sent on behalf of another node (identity spooﬁng),or controlmessages which contain incorrect or outdated routing information.The networkmay exhibit Byzantine [94] behavior,i.e.conﬂicting information in different partsof the network.The consequences of this attack are degradation in network com-munications,unreachable nodes,and possible routing loops.Cache poisoningAs an instance of incorrect trafﬁc generation in a distance vector routing protocol,an attacker node can advertise a zero metric for all destinations,which will causeall the nodes around it to route packets toward the attacker node.Then,by droppingthese packets (blackhole attack,see Section 3.1.2),the attacker causes a large partof the communications exchanged in the network to be lost.In a link state protocol,the attacker can falsely declare that it has links with distant nodes.This causesincorrect routes to be stored in the routing table of legitimate nodes,also known ascache poisoning.Message bombing and other DoS attacksThe attacker can also try to perform Denial of Service on the network layer bysaturating the mediumwith a stormof broadcast messages (message bombing),re-ducing nodes’ goodput and possibly impeding nodes from communicating.(Thisis not possible under hybrid routing protocols,where nodes cannot issue broadcastcommunications [154].) The attacker can even send invalid messages just to keepnodes busy,wasting their CPUcycles and draining their battery power.In this casethe attack is not aimed at modifying the network topology in a certain fashion,butrather at generally perturbing the network functions and communications.On the transport layer,Kuzmanovic and Knightly [92] demonstrate the effec-tiveness of a low-rate DoS attack performed by sending short bursts repeated with aslowtimescale frequency (shrew attack).In the case of severe network congestion,TCP operates on timescales of Retransmission Time Out (RTO).The throughput(composed of legitimate trafﬁc as well as DoS trafﬁc) triggers the TCP congestion6Nodes’ throughput is composed of two kinds of trafﬁc:control packets and data packets.Herewe consider only the former.tel-00010678, version 1 - 18 Oct 200542 ATTACKS AGAINST AD HOC NETWORKScontrol protocol,so the TCP ﬂow enters a timeout and awaits a RTO slot beforetrying to send another packet.If the attack period is chosen to approximate theRTO of the TCP ﬂow,the ﬂow repeatedly tries to exit timeout state and fails,pro-ducing zero throughput.If the attack period is chosen to be slightly greater thanthe RTO,the throughput is severely reduced.This attack is effective because thesending rate of DoS trafﬁc is too low to be detected by anti-DoS countermeasures.Another DoS performed on the transport layer is the subtle jellyﬁsh attack byAad et al.[1],that deserves particular attention.Its authors point out that,remark-ably,it does not disobey the rules of the routing protocol,even if we may arguethat,strictly speaking,this is not always the case.But is indeed true that the jelly-ﬁsh attack is difﬁcult to distinguish from congestion and packet losses that occurnaturally in a network,and therefore is hard and resource-consuming to detect.This DoS attack can be carried out by employing several mechanisms.Oneof the mechanisms of the jellyﬁsh attack consists in a node delivering all receivedpackets,but in scrambled order instead of the canonical FIFO order.DuplicateACKs derive fromthis malicious behavior,which produces zero goodput althoughall sent packets are received.This attack cannot be successfully opposed by theactual TCP packet reordering techniques,because such techniques are effective onsporadic and non-systematic reordering.The second mechanism is the same as that used in the shrew attack,and in-volves performing a selective blackhole attack by dropping all packets for a veryshort duration at every RTO.The ﬂowenters timeout at the ﬁrst packet loss causedby the jellyﬁsh attack,then periodically re-enters the timeout state at every elapsedRTO.The third mechanism consists in holding a received packet for a random timebefore processing it,increasing delay variance.This causes TCP trafﬁc to be sentin bursts,therefore increasing the odds of collisions and losses;it increases theRTOvalue excessively;and it causes an incorrect estimation of the available band-width in congestion control protocols based on packet delays.DoS attacks can also be carried over on the physical layer (e.g.jamming orradio interference);in this case,they can be dealt with by using physical techniquese.g.spread spectrum modulation [126].In sum,Denial of Service can be accomplished over different layers and inseveral ways,and is quite difﬁcult to counteract,even on a wired medium.Thetopics regarding a full protection against DoS attacks are beyond the scope of thisthesis,and therefore are not discussed in detail.3.1.2 Incorrect trafﬁc relayingNetwork communications coming from legitimate,protocol-compliant nodes maybe polluted by misbehaving nodes.tel-00010678, version 1 - 18 Oct 2005ATTACKS AGAINST THE ROUTING LAYER IN MANETS 43Blackhole attackAn attacker can drop received routing messages,instead of relaying them as theprotocol requires,in order to reduce the quantity of routing information availableto the other nodes.This is called blackhole attack by Hu et al.[66],and is a“passive” and a simple way to perform a Denial of Service.The attack can bedone selectively (drop routing packets for a speciﬁed destination,a packet everypackets,a packet everyseconds,or a randomly selected portion of the packets) orin bulk (drop all packets),and may have the effect of making the destination nodeunreachable or downgrade communications in the network.7Message tamperingAn attacker can also modify the messages originating from other nodes beforerelaying them,if a mechanism for message integrity (i.e.a digest of the payload)is not utilized.Replay attackAs topology changes,old control messages,though valid in the past,describe atopology conﬁguration that no longer exists.An attacker can perform a replayattack by recording old valid control messages and re-sending them,to make othernodes update their routing tables with stale routes.This attack is successful evenif control messages bear a digest or a digital signature that does not include atimestamp.Wormhole attackThe wormhole attack [67] is quite severe,and consists in recording trafﬁc fromone region of the network and replaying it in a different region.It is carried out byan intruder nodelocated within transmission range of legitimate nodesand,whereandare not themselves within transmission range of each other.Intruder nodemerely tunnels control trafﬁc betweenand(and vice versa),without the modiﬁcation presumed by the routing protocol – e.g.without statingits address as the source in the packets header – so thatis virtually invisible.This results in an extraneous inexistent  link which in fact is controlled by,as shown in Figure 3.4.Nodecan afterwards drop tunneled packets or breakthis link at will.Two intruder nodesand,connected by a wireless or wired7Even if a node correctly generates,processes and forwards control trafﬁc,it may act maliciouslyby not forwarding data trafﬁc.The node thereby breaks the connectivity in the network;however,this connectivity loss is not detected by the routing protocol because control trafﬁc is relayed asrequired.This type of situation may also be due to wrongly conﬁgured nodes:routing capabilities(through IP forwarding) are disabled by default in most operating systems,and need to be enabledmanually.Failing to do so effectively causes data trafﬁc not to be routed while control trafﬁc,whichis forwarded by action of the routing daemon,is correctly transmitted.tel-00010678, version 1 - 18 Oct 200544 ATTACKS AGAINST AD HOC NETWORKSprivate medium,can also collude to create a longer (and more harmful) wormhole,as shown in Figure 3.5.The severity of the wormhole attack comes from the fact that it is difﬁcult todetect,and is effective even in a network where conﬁdentiality,integrity,authen-tication,and non-repudiation (via encryption,digesting,and digital signature) arepreserved.Furthermore,on a distance vector routing protocol,wormholes are verylikely to be chosen as routes because they provide a shorter path – albeit com-promised – to the destination.Marshall [103] points out a similar attack,calledthe invisible node attack by Carter and Yasinsac [24],against the Secure RoutingProtocol [116].Rushing attackAn offensive that can be carried out against on-demand routing protocols is therushing attack [68].Typically,on-demand routing protocols state that nodes mustforward only the ﬁrst received Route Request fromeach route discovery;all furtherreceived Route requests are ignored.This is done in order to reduce cluttering.The attack consists,for the adversary,in quickly forwarding its Route Requestmessages when a route discovery is initiated.If the Route Requests that ﬁrst reachthe target’s neighbors are those of the attacker,then any discovered route includesthe attacker.3.2 Attacks against the OLSR protocolWe nowdiscuss various security risks in OLSR[3,30].The aimis not to emphasizeﬂaws in OLSR,as it did not include security measures in its design,like severalother routing protocols.While these vulnerabilities are speciﬁc to OLSR,they canbe seen as instances of what other link state routing protocols,such as OSPF,aresubject to.This section illustrates the principal hazards.More ingenious attacks may becarried over against almost any operating function of the protocol.It is worth noting that a node can force its election as an MPR by setting theWillingnessﬁeld to the WILL_ALWAYS constant in its HELLOs.Accordingto the protocol,its neighbors will always select it as an MPR.Using this mecha-nism,a compromised node can easily gain,as an MPR,a privileged position insidethe network.It can then exploit its importance to carry out DoS attacks and suchlike.Note also that an attacker performing identity spooﬁng or message replay needsto change the Message Sequence Number ﬁeld of the spoofed or replayedmessage.Otherwise,nodes that already have received a message with the sameoriginator and MSN(according to their Duplicate Set) will drop the malicious mes-sage.Furthermore,accepting the malicious message causes message loss when alegitimate message having the same originator and MSN is received by the victimtel-00010678, version 1 - 18 Oct 2005ATTACKS AGAINST THE OLSR PROTOCOL 45nodes,and dropped according to the protocol.3.2.1 Incorrect trafﬁc generationOne way in which a node can misbehave is by generating control messages in away that is not according to the protocol.Incorrect HELLOmessage generationA misbehaving nodemay send HELLO messages with a spoofed originatoraddress set to that of node